Chat with Experta

User
What are mandatory documents for ISO 27001?
Experta
ISO 27001:2022 specifies the following documents as required (no matter if a company is large or small, or which industry it is in) - the auditor will ask for all of these documents:
- Scope of the ISMS—Clause 4.3 (usually documented as ISMS Scope document)
- Information security policy—Clause 5.2 (usually documented as Information Security Policy)
- Risk assessment and risk treatment process—Clause 6.1.2 (usually documented as Risk Assessment and Treatment Methodology)
- Statement of Applicability—Clause 6.1.3 d) (usually documented as Statement of Applicability)
- Risk treatment plan—Clauses 6.1.3 e), 6.2, and 8.3 (usually documented as Risk Treatment Plan)
- Information security objectives—Clause 6.2 (usually documented as List of Information Security Objectives)
- Risk assessment and treatment report—Clauses 8.2 and 8.3 (usually documented as Risk Assessment & Treatment Report)
- Inventory of assets—Control A.5.9 (usually documented as Inventory of Assets or List of Assets in the Risk Register)
- Acceptable use of assets—Control A.5.10 (usually documented as IT Security Policy)
- Incident response procedure—Control A.5.26 (usually documented as Incident Management Procedure)
- Statutory, regulatory, and contractual requirements—Control A.5.3 (usually documented as List of Legal, Regulatory, and Contractual Requirements)
- Security operating procedures for IT management—Control A.5.37 (usually documented as Security Procedures for IT Department)
- Definition of security roles and responsibilities—Controls A.6.2 and A.6.6 (usually documented as agreements, NDAs, and specifying responsibilities in each security policy and procedure)
- Definition of security configurations—Control A.8.9 (usually documented as Security Procedures for IT Department)
- Secure system engineering principles—Control A.8.27 (usually documented as Secure Development Policy)

Note: ISO 27001 documents or records required by Annex A controls are mandatory only if there are risks or requirements from interested parties that would demand implementing those controls.

ISO 27001 also specifies the following records as mandatory:
- Training, skills, experience, and qualifications—Clause 7.2 (usually documented as Training certificates and CVs)
- Monitoring and measurement results—Clause 9.1 (usually documented as Measurement Report)
- Internal audit program—Clause 9.2 (usually documented as Internal Audit Program)
- Results of internal audits—Clause 9.2 (usually documented as Internal Audit Report)
- Results of the management review—Clause 9.3 (usually documented as Management Review Minutes)
- Results of corrective actions—Clause 10.2 (usually documented as Corrective Action Form)
- Logs of user activities, exceptions, and security events—Control A.8.15 (usually documented as automatic logs in information systems)